I've got an endpoint tied to a VM that is getting triggered unintentionally and I'm trying to figure out the source/client that is triggering this application.
What is the most efficient way to setup logging of HTTP traffic on an Azure VM? I don't need a lot of detail, mostly interested in the IP address of the client that is hitting this endpoint.
For me i think you should have a firewall in-front of your VM ... which will detect the IP and maybe block it if you wish: https://learn.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal
Also you should use Azure Monitor or App insights to have an eye on what is happening on your VM: https://learn.microsoft.com/en-us/azure/azure-monitor/vm/vminsights-enable-portal
Hope that my answer helped you .... Dont hesitate to vote me up if it did ;)
Related
Due to a recent layoff I got bombarded to azure admin out of the blue. I am pretty new to this and haven't yet got the chance to follow an admin course.
Facing the following issue: We host a couple of websites on an Azure Windows Server VM running IIS. These are accessible through an application gateway with a public IP. I was asked to add two new listeners for a new part of the website. I created the appropriate targeting in the backend pool, created http and https settings and added the listeners and Rules. However, when browsing to the site, it throws a 502 error and when i check the backend health, it gives below error.
Cannot connect to backend server. Check whether any NSG/UDR/Firewall is blocking access to server. Check if application is running on correct port.
I opened up the appropriate inbound ports on the NSG of the AZ Web interface on the VM and also on the local firewall of the server hosting IIS. AFAIK there are no additional NSG rules on the application gateway.
What am i missing here? :s
I have extensive experience working with Application Gateways and I can tell you that a 502 Bad Gateway means something is definitely wrong at the backend or misconfigured AGW settings - that's what the error says, so nothing surprising. From my experience here are different scenarios I've faced for this error:
Backend server can't be reached due to an NSG Rule controlling access from the AGW subnet to the backend subnet.
Backend server can be reached but the port is not opened at the server's firewall.
Backend server can be reached, port is opened but application is not listening on those ports or application is not even running.
AGW listeners were misconfigured.
Here's what you can try:
First validate whether the Application and VM are fine by trying to access the application from another VM in the same subnet.
Next, try to get a VM in a different subnet and try to access the application, to mimic the AGW trying to connect to the backend. This will help you validate whether your NSGs are properly configured.
Lastly, revisit all the AGW settings and look for any misconfiguration in the listeners or other settings. (Added this based on your comments).
Taking this approach to troubleshooting will quickly help you identify which layer is causing the issue. Also, it would be a good practice to start documenting all AGW errors you get along your journey and also the remediation steps etc. This will help you tremendously in the future - this is not the last time you'll face issues with your AGW!
If you've checked your firewall issues and it's not solving the problem it could be user permissions on your VM.
I then ran the following command in ps and it sorted it for me.
** netsh http add urlacl url="http://*:{port}/" user="Everyone" **
A good test to see if this will work is if you can access your app using invoke-webrequest and using a localhost URI, but not using the server's NIC Private IP.
You'll also need to set your host address to use the wildcard in your config file.
I'm running an azure function which gets data from an API and stores it in a blob. Everything worked fine and stopped working out of nowhere. We then got in contact with our provider and they told us they made some changes in their API. After we made the necessary changes in our code,started getting an IP denied error from their part. I then searched and found the possible outbound IP addresses for the Azure Function. They whitelisted the whole list and still
They aren't getting any requests from those IP's,
We are not able to access that data for the same reason our IP is denied.
We've been running the code in a local machine and it works completely fine, but this is just a temporary fix and we want to keep everything in the cloud.
I've been stuck with this for about 3 weeks. I've looked into different solutions and I found about Azure Logic Apps and Azure Service Fabric.
Is there something missing in my Azure Function that isn't allowing me to make requests to the API? Am I using the wrong outbound IP? Also, if I use any of the other two services, will I encounter with the same problem? I did some research on them and I think they both also use multiple outbound IP addresses, so I'm worried I'll get the same problem.
Using NAT gateway you can specify a static IP address for outbound traffic, your function app need to be attached on a subnet which is not available for consumption plan.
Here is where you should be getting the Azure IP address ranges from. Azure Functions originate from the App Service Plan ranges. Note that this is updated weekly, things change, but not too often. Your provider will need to open all the relevant ranges and keep up to date with any changes. If your solution is not mission critical with a high SLA, then having your service provider open the relevant ranges and deal with failures, updating the ranges on an ad-hoc basis should be fine.
Secondly, if you have a good relationship with the provider, ask them to check the firewall, they will be able to give you an indication of the IP's getting blocked by checking the firewall logs. This will help you find the right range.
The only guaranteed way to solve this in a mission critical solution is to run your Azure Functions from an dedicated app service plan with a dedicated IP address. This is an expensive option but will be the most robust.
Additional helpful information here on how App Services works with IPs can be found here.
I have an Azure website (website.mycompany.com) that uses a WCF service for some data. The WCF Service sits behind an Azure Traffic Manager (service.mycompany.com) running in "priority mode", with 2 instances of the service for failover handling. With priority mode, the primary always serves up the data first, unless it's unavailable. If unavailable, the 2nd instance will reply.. and so on down the line.
We've had a few instances recently where the primary endpoint for service.mycompany.com was offline. For "partnerships" who point to service.mycompany.com, they detected the switch and all was fine. Lately however, our own site (website.mycompany.com) does NOT detect the traffic manager switch, and the website has errors since the service fails to reply.
Our failover endpoint in these instances is up, and in the past the Azure website detected the switch, it's only recently we've encountered this issue. Has anyone experienced similar issues? Are there perhaps any DNS changes that we need to tweak in our Azure Website to help it detect TTL's?
Has anyone experienced similar issues?
Do you mean the traffic manager can't switch to another endpoint immediately?
Traffic manager works at the DNS level, here are the reasons why traffic manager can't switch immediately:
The duration of the cache is determined by the 'time-to-live' (TTL) property of each DNS record. Shorter values result in faster cache expiry and thus more round-trips to the Traffic Manager name servers. Longer values mean that it can take longer to direct traffic away from a failed endpoint.
The traffic manager endpoint monitor effects the response time. More information about how azure traffic manager works, please refer to the link.
The following timeline is a detailed description of the monitoring process.
Also we can check traffic manager profile using nslookup and ipconfig in windows. About how to vertify traffic Manager settings, please refer to the link.
By the way, because traffic manager works at the DNS level, it cannot influence existing connections to any endpoint. When it directs traffic between endpoints (either by changed profile settings, or during failover or failback), Traffic Manager directs new connections to available endpoints. However, other endpoints might continue to receive traffic via existing connections until those sessions are terminated. To enable traffic to drain from existing connections, applications should limit the session duration used with each endpoint.
I'm going to refer you to my answer here because while the situation isn't exactly the same, it seems like it could have the same solution. To summarize, I find it likely that you have a connection left open to the down service that isn't being properly closed. This connection is independent of TTL, which only deals with DNS caching, and as such bypasses Traffic Manager completely.
I have an Azure Scheduler Job which calls a REST endpoint over https.
The REST API is locked down by IP address so it's currently (and understandably) failing. So I need to add the Scheduler Job IP address to the API firewall.
The problem I have is I can't seem to find the IP address anywhere in the Azure Scheduler web interface.
Am I missing something or is it not possible to get the IP address in same way you can for other Azure resources (web apps, worker roles etc)?
Unfortunately Azure Scheduler does not reserve static IP, so the IP will change from deployment to deployment as we ship new changes. You may consider Logic Apps, which also supports calling REST endpoint over HTTPs, and does have static IP. See this link for more details: https://learn.microsoft.com/en-us/azure/app-service-logic/app-service-logic-limits-and-config?toc=%2fazure%2flogic-apps%2ftoc.json#configuration
Very late to the show but incase anyone else stumbles across this again, the IP addresses from the Azure Resource Explorer should get you what you need. See here for details on getting the IPs. You can also add the IPs for the relevant Azure Data Centers to your allow list if necessary.
I'm having some troubles sending telemetry data of my web application because of firewall rules are configured by IP, and the thing is that the IP for the App Insights are constantly changing (As far as I know this is because the App Insights services are behind a CDN so the IP depends on where the requests come from).
The question is if somebody knows if there is an IP range, or a lists of IPs that the IT people of my client could use to configure the firewall in order to keep allowing the telemetry traffic.
Many thanks in advance!
For anyone who ends up here in the future, they do have a list of ip address used by application insights available here: https://learn.microsoft.com/en-us/azure/application-insights/app-insights-ip-addresses
There are a ton more on the documentation page but here are the main telemetry IP's it uses:
40.114.241.141
104.45.136.42
40.84.189.107
168.63.242.221
52.167.221.184
52.169.64.244
All on port 443
I asked about this, and it does not appear that the specific IP addresses are publicly shared at this time.
The recommendation would be, if possible, to filter by host name (dc.services.visualstudio.com).
Moving to static IPs is on the team's backlog, but no specific ETA can be given at this point. We'll update this thread once we have static IPs with ranges that we can share.